Be able to login to bank

Discussions about the Application Boundaries Enforcer (ABE) module
fatboy
Junior Member
Posts: 47
Joined: Fri Jul 25, 2014 6:56 am

Re: Be able to login to bank

Post by fatboy » Tue Mar 14, 2017 8:49 pm

In this case, start.me can send requests not only to online.citi.com/US/JRS/portal/index.do.
If you think that it is fine, then let it be.
Thank you very much.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 SM/2.38 NS/2.9.0.12

barbaz
Senior Member
Posts: 9038
Joined: Sat Aug 03, 2013 5:45 pm

Re: Be able to login to bank

Post by barbaz » Tue Mar 14, 2017 10:20 pm

Ah, now I see what you're saying. Sure, something like this could likely work -

Code:

Site https://online.citi.com/US/JRS/portal/index.do
Accept from https://start.me/* .citi.com
Deny
Site .online.citi.com
Accept from .citi.com
Deny

It does reduce attack surface slightly, but not by that much. Especially since only the https version of start.me is allowed to link the bank site, and you're already trusting start.me not to abuse it.
*Always* check the changelogs BEFORE updating that important software!
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Be able to login to bank

Post by Thrawn » Wed Mar 15, 2017 3:28 am

To allow linking, you could adjust it to:

Code:

Site https://online.citi.com/US/JRS/portal/index.do
Accept from .citi.com
Anon GET from https://start.me/*
Deny
Site .online.citi.com
Accept from .citi.com
Deny
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
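
A simplified model of how the ruleset in Thrawn's post is evaluated, added here as an example; it is not part of the thread and not NoScript's own code. The helper names `matches`, `parse` and `decide`, the pattern matching and the first-match evaluation order are assumptions of this sketch. It shows that start.me only gets an anonymized GET to the login URL (Anon strips cookies and authorization headers) and nothing else on online.citi.com.

```javascript
// Simplified model of ABE rule evaluation (assumed semantics, not NoScript's code).
// Constructed input: the ruleset from Thrawn's post.
const RULES = `
Site https://online.citi.com/US/JRS/portal/index.do
Accept from .citi.com
Anon GET from https://start.me/*
Deny
Site .online.citi.com
Accept from .citi.com
Deny`;

// ".domain" matches the domain and its subdomains; otherwise "*" is a glob
// and a pattern without "*" must equal the whole URL.
function matches(pattern, url) {
  if (pattern.startsWith(".")) {
    const host = new URL(url).hostname;
    return host === pattern.slice(1) || host.endsWith(pattern);
  }
  const re = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${re}$`).test(url);
}

function parse(text) {
  const rules = [];
  for (const line of text.trim().split("\n")) {
    const tok = line.trim().split(/\s+/);
    if (tok[0] === "Site") { rules.push({ sites: tok.slice(1), preds: [] }); continue; }
    const fromAt = tok.indexOf("from");
    const head = fromAt < 0 ? tok : tok.slice(0, fromAt);
    rules[rules.length - 1].preds.push({
      action: head[0],
      methods: head.slice(1),                              // empty = any method
      origins: fromAt < 0 ? null : tok.slice(fromAt + 1),  // null = any origin
    });
  }
  return rules;
}
// The first predicate that matches, in the first rule whose Site matches, decides.
function decide(rules, method, origin, dest) {
  for (const r of rules) {
    if (!r.sites.some((p) => matches(p, dest))) continue;
    for (const p of r.preds) {
      const methodOk = p.methods.length === 0 || p.methods.includes(method);
      const originOk = p.origins === null || p.origins.some((x) => matches(x, origin));
      if (methodOk && originOk) return p.action;
    }
  }
  return "Accept"; // no rule applies: the request is left untouched
}
```

Calling `decide(parse(RULES), "POST", "https://start.me/p/abc", "https://online.citi.com/US/JRS/portal/index.do")` returns `Deny`, because the Anon predicate is limited to GET.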
